About Brandon_Wertz

The unknown catagory: The website has not yet been categorized, so it does not exist in the URL filtering database on the firewall or in the URL cloud database.   This covers a percentage of what would fall under the <24/48 life span window of a new domain, however you still run the issue of it just being a domain that hasn't been injected in the URL DB but could have been online for sometime.   Also we are really interested in the "Last registared date" not the original. This should be an easy implementation as it seems like a simpler catagory to implment based on the availability of the information over some of the more complex categories that require a more time consuming process to classify. ... View more

Thank you for the suggestions. Issue got resolved by applying decryption on forward proxy. ... View more

Excellent. Thanks.  ... View more

@Brandon_Wertz Hi Thanks for your response. I totally agree if you have a multi homed design. unfortunately we haven't and can't re engineer the edge at the moment. This is just a separate circuit to upload specific source vlans (subnets) to a customer.   thanks   Simon ... View more

Thank you all for your replies. We are currently running OS 8.0.2. We had recently upgraded to 8.0.1, but had to upgrade again last week for a memory leak that appears to be ongoing.   Regarding decryption, we have a decryption policy that applies to most of our staff through AD group membership as well as a no-decrypt policy for select sites we have determined do not decrypt correctly. I am not certain if our policy is set to allow access on error. I will have to look further in to that.   I'm not sure if the reason could be lack of resources. I know that the PA500 is on the low end of the model list. I occassionally see the dataplane cpu usage get rather high, but generally it's not too bad. ... View more

Hello   And we have "new one" without killing-switch http://www.securityweek.com/patched-wannacry-ransomware-has-no-kill-switch ... View more

Hello, GP cannot filter traffic, it just creates the VPN tunnel and from there you can tunnel all traffic through the PAN and filter it there.  You could restrict the user profiles to prevent them from stopping the service? Honestly not sure jhow you can accomplish more without having more tools/software at your disposal. However if anyone else has any input I'm all ears.   Regards, ... View more

Which PAN-OS version are you running? ... View more

and by this information it does not show the log reciever as particularly high to me as for the volume of logs    PID     USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 31021 root  20 0 953m 213m 6444 S 159.0 5.4 131:38.93 mgmtsrvr 4139 root 20 0 1272m 435m 7200 S  5.6 11.0 3977:01 logrcvr 26265 nobody 20 0 149m 26m 6032 S 0.7 0.7 13:39.07 appweb3 12839 root 20 0 12948 2352 1648 S 0.3 0.1 47:41.76 packet_path_pin 26411 nobody 20 0 114m 7648 4456 S 0.3 0.2 9:22.34 appweb3   Pluse the amount of logs that are listed on the disk    Filesystem Size Used Avail Use% Mounted on /dev/md3 3.8G 3.1G 519M 86% / /dev/md5 7.6G 3.2G 4.0G 45% /opt/pancfg /dev/md6 3.8G 2.6G 1019M 73% /opt/panrepo tmpfs 2.0G 116M 1.9G 6% /dev/shm cgroup_root 2.0G 0 2.0G 0% /cgroup /dev/md8 198G 120G 69G 64% /opt/panlogs   Also that it occurs during the preview of a commit and the commit I am not sure may need to re-engage TAC. I have received a lot of good information from all of you with not real obvious problem ... View more

I could not find anything in the guides that each of these links should be in a separate VLAN. Sure my first though was to configure separate VLANs but wanted to know whether this will work without issues. Then there is TAC support issue!   Thanks all! ... View more

Thanks to both of you for the recommendations and background info.  Since we use ISE for wireless authentication we're going to try syslog monitoring of it with a fallback to captive portal if needed. ... View more

I deal with this by having an additional pair of switches between the Palos and Routers. I use HSRP on the switches for failover. if a circuit fails, the active PA can still find the route to whichever router is active. The Routers and the PAs all sit on the same vlan.   The routers themselves are using BGP with our registered AS number and multiple prepends to create a prefered route out our primary ISP. To handle a failure deeper in the ISP, but not at our local link, I use SLAs on the routers to shut down the BGP neighbour, which will force a cutover to my backup.   On the routers inside interfaces, I create a subinterface using HSRP so each router uses the same gateway IP, so no matter which router is active, the same gateway IP is responding.   This allows you to use Active/Passive in your config. ... View more

Brandon,    Yes - in my example 'test' is a custom URL category that I used when I was validating this.  The example I was working out was actually for a customer that required a redirect to a 3rd party web server for quarantining users, but you could just as easily use the script to update the DOM to display a completely different set of text / layout based on the URL category.  Or you could do as your example pointed out and send users to different landing pages on your own web server.  Pretty much anything you can do with javascript can be done in place of the redirect in my script...     ... View more

or a cloud firewall ( AWS/Azure/... ) with always-on Global protect 😉 ... View more